
Publishers beware! Malvertising is a growing threat

April 23, 2013

By John Clyman

Malware-infected ads, or “malvertising”, are rare. But they do exist, and an unchecked attack can be quite damaging. So 24 hours a day, 365 days a year, from more than a dozen countries (and growing) around the globe, the Rubicon Project’s automated brand protection systems scan ads to look for any signs of unexpected behavior—behavior that might indicate an ad has been hijacked in order to serve malware to unsuspecting users.

Sometimes this behavior is overt: Malware may try to frighten users into, say, wasting money buying worthless “anti-virus” software. Other times the malicious behavior is completely invisible and detectable only by specialized instrumentation. This stealth malware aims to infest a computer without its owner’s knowledge, often with a goal like stealing private information or putting the machine to use as a node in a botnet, where it could send spam or try to disable sites by participating in DDoS (distributed denial-of-service) attacks.

Regardless of what the malware authors’ goals and financial incentives may be, we’ve invested in our continuous monitoring capabilities so that we can automatically block a suspect ad from serving the moment our platform detects impermissible activity—no matter what time of day or where in the world it’s taking place.

With the first quarter of 2013 behind us, we compiled some statistics that illustrate how this capability protects publishers and the users who visit their sites.

Malvertising activity tends to ebb and flow. On most days in Q1—those colored green on the adjacent calendar—we saw no attempts at malicious activity at all. We observed and quashed threats on just 26 of the 90 days in the quarter.

The most intense activity occurred on Saturdays or Sundays: More than half of the total threats we identified and blocked occurred on weekends. That’s remarkable, but not really surprising. Over several years of screening, we’ve observed again and again that malware authors disproportionately time their efforts to launch over the weekends and on holidays. Presumably they assume responses will be slower when most people in the online ad industry aren’t in the office working, allowing their malware to infect more computers. Of course, because our systems block suspicious ads automatically and immediately, it doesn’t matter whether they detect issues during business hours or at 2 a.m. on a Sunday.

Although we detected the bulk of threats when screening from within the U.S., our systems did also find and block a handful of infected ads elsewhere, including one from another North American country and several in Europe.

Because the potential impact of malvertising is so large, even if the absolute rate at which it occurs is low, we’re continuing to expand and improve our screening capabilities—and also the ways we provide insight into what sort of threats those capabilities are detecting and blocking. So as time goes on, we’ll have much more to write about and to show.